Smishing: SMS + Phishing, Present And On The Rise On Android

Researchers have announced the discovery of yet another vulnerability on Android, the popular smartphone platform from Google. It's a phishing technique that uses SMS messages as a vector. Threats like these are why jumping on the BYOD trend requires the use of mobile security tools like MDM security software from AlertBoot Mobile Security.

Deceptive Text Messages Affect All Android Versions

A computer science professor at North Carolina State University announced his findings earlier this month. The vulnerability is present in the Android Open Source Project, meaning all Android versions are affected, including the latest version, Jelly Bean. In a nutshell: Android can run apps that make it appear as if one has received a text message from a friend. To clarify: an actual text message is not sent.

(I should note that a November 14 update at the NCSU page reads as follows: " We was [sic] informed (by a friend) that Android 4.2 fixed this smishing bug -- still need a real device for confirmation by ourselves.")

It was pointed out that this does not mean that all devices running Android are affected. My personal understanding is that the fractured nature of Android makes it impossible to positively claim that all devices are affected (e.g., the OS on a Samsung device is quite different from the same OS running on an HTC smartphone, so the threat could be present on one or the other, but not necessarily on both). On the other hand, if the vulnerability exists at the core of Android, there's no reason why it wouldn't also exist in the various Android flavors built on that core.

The vulnerability was present in the following phones tested by the NCSU team: Google Galaxy Nexus, Google Nexus S, Samsung Galaxy SIII, HTC One X, HTC Inspire, and Xiaomi MI-One. Google was notified and has confirmed the vulnerability.

How Does It Work?

The vulnerability uses text messages to phish cell phone owners. Social engineering (i.e., online grifting) is at the heart of the scam. Basically, a rogue app can make it appear as if the phone's owner has received an SMS from someone he or she knows (or, more specifically, someone who's on one's contact list).

The message directs the phone owner to do one of two things: (1) dial a particular number or (2) visit a particular URL (website). In the first instance, the phone will prompt you to dial a premium phone number (a.k.a. a 1-900 number that bills you ridiculous rates per minute). In the second, a visit to the page could either (a) install a rogue app that runs in the background of your smartphone, stealing passwords, online banking info, and other personal information (this is commonly known as "drive-by hacking"), or (b) scam you into revealing personal data. For example, the SMS and the URL could point to a counterfeit Bank of America page asking you to reset your password.

A video of the attack can be found on this page. Most notable about the video? The revelation that the smartphones in question don't even have a SIM card in place. Without a SIM card, it is impossible to receive a text message, confirming the app-based nature of this attack.

What is Smishing?

Smishing is a combination of the words SMS and phishing. The former stands for "Short Message Service" and is the official term for text messages on your cellular phone. The latter is, of course, the term for online-finagling-of-personal-info.

From the above, it follows that smishing is nothing but a phishing attempt using the phone as a medium as opposed to a computer. Social engineering is used to get a phone user to do the scammers' bidding. Some examples from Wikipedia:

Notice - this is an automated message from (a local credit union), your ATM card has been suspended. To reactivate call urgent at 866-###-####

We’re confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.?????.com.

(Name of popular online bank) is confirming that you have purchase a $1500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase

(Name of a financial institution): Your account has been suspended. Call 702.354.0818 immediately to reactivate

It's not always the element of fear that is used. The same page at Wikipedia notes that Walmart had to send an alert when smishing attempts used a $1,000 gift card from the warehouse retailer as bait.
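As an added example (not from the original post, and not the NCSU team's code), the following Python snippet is a small content-based triage heuristic that scores an SMS body against the lures described above: urgency language, a callback number (with extra weight for a US 1-900 premium-rate code), a URL, an unexpected charge, and a prize or gift-card offer. It deliberately ignores the displayed sender, because the point of the NCSU finding is that a rogue app can make a fake message appear to come from a contact. The sample messages are constructed: three follow the Wikipedia examples quoted above, the rest are made up for this example (the 555 number, the example.com address and the "two indicators" threshold are assumptions).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Content-based indicators taken from the lures described above. The displayed
# sender is deliberately NOT an input: a rogue app can make a fake message
# appear to come from a contact, so "it's from someone I know" proves nothing.
URGENCY_RE = re.compile(
    r"\b(suspend(?:ed)?|urgent(?:ly)?|immediately|reactivate|confirm(?:ing)?|cancel)\b", re.I)
CHARGE_RE = re.compile(r"\b(charged|purchased?)\b", re.I)
PRIZE_RE = re.compile(r"\b(gift card|prize|winner|won)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# North American number with optional country code; group 1 is the area/service code.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}")
PREMIUM_RATE_CODES = {"900"}  # US premium-rate ("1-900") numbers, as mentioned above


@dataclass
class SmishingVerdict:
    score: int
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent signals (e.g. urgency + a callback number) is the
        # assumed threshold; tune it against real traffic before relying on it.
        return self.score >= 2


def score_sms(text: str) -> SmishingVerdict:
    """Score a single SMS body for smishing indicators (higher = more suspicious)."""
    verdict = SmishingVerdict(score=0)

    def hit(name: str, weight: int = 1) -> None:
        verdict.indicators.append(name)
        verdict.score += weight

    if URGENCY_RE.search(text):
        hit("urgency")
    phone = PHONE_RE.search(text)
    if phone:
        hit("callback_number")                     # the "dial this number" lure
        if phone.group(1) in PREMIUM_RATE_CODES:
            hit("premium_rate_number", weight=2)   # 1-900 style billing trap
    if URL_RE.search(text):
        hit("url")                                 # the "visit this site" lure
    if CHARGE_RE.search(text):
        hit("unexpected_charge")                   # "you were charged / purchased"
    if PRIZE_RE.search(text):
        hit("prize_lure")                          # gift-card style bait
    return verdict


# Constructed sample messages: the first three follow the Wikipedia examples quoted
# above; the rest are made up for this example (555 number, example.com address).
SAMPLES = [
    "(Name of a financial institution): Your account has been suspended. Call 702.354.0818 immediately to reactivate",
    "We're confirming you've signed up for our dating service. You will be charged $2/day unless you cancel your order on this URL: www.?????.com.",
    "(Name of popular online bank) is confirming that you have purchase a $1500 computer from (name of popular computer company). Visit www.?????.com if you did not make this online purchase",
    "Hey it's Mike, my phone died, call me back at 1-900-555-0199",
    "Congratulations! You have won a $1,000 gift card. Claim it at www.example.com/claim",
    "Running 10 min late, see you at the cafe at 7",
]


def triage(messages: List[str]) -> List[bool]:
    """Return one flag per message: True if it should be held for review."""
    return [score_sms(m).suspicious for m in messages]


if __name__ == "__main__":
    for msg in SAMPLES:
        v = score_sms(msg)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} score={v.score} {v.indicators} :: {msg[:60]}")
```

Run stand-alone, the script flags the first five samples and passes the benign one. The weights are a starting point, not a classifier: a content heuristic like this catches the premium-number and "visit this site" lures the post describes, but it cannot tell a forged local message from a real one, which is why the fix has to come from the platform (as the Android 4.2 note above suggests) rather than from message filtering alone.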


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.